
How to Run a Risk Assessment Program

Risk management is the identification, evaluation, prioritization, and mitigation of risks so that an organization can achieve its goals.


Risk = Likelihood of Threat x Estimated Damage From Threat if it Occurs

Or even more simply:

Risk = Probability x Severity

A risk assessment program is about identifying threats to assets, and the likelihood of the threats occurring in a given time period, estimating the potential damage if the threat is exploited, and implementing appropriate controls to offset the biggest and most likely risks first and best. All of this is made far easier on an initial and ongoing basis using a digital risk assessment or Governance, Risk, and Compliance (GRC) program. A risk assessment program can help you keep track of the various assets, threats, calculated risks, implemented controls, and accepted risks – on an ongoing basis. Calculations can be tweaked as assets, risks, and controls change over time. Here is a summary of the phases in any risk assessment program:

• Asset Inventory
• Identify Threats
• Risk Analysis
• Identify and Implement Offsetting Controls
• Evaluate and Update

Each of those phases will be covered in more detail below.

Asset Inventory

You can’t protect what you don’t know about. You need to get a detailed account of every significant asset in the company, starting with the grounds and buildings, vehicles, computer equipment, software, and everything that the company officially designates as an asset (with the notable exceptions of depreciation and goodwill). Your inventory should not include office supplies and minor items that are easy to replace. A good place to start to gather an inventory is in Accounting if you have an Accounting department. If not, start going around and taking a physical inventory. Your physical inventory may exceed the official accounting inventory. Things not owned by the organization, but used by them, such as building and vehicle rentals, may be included in your inventory depending on the scope of your risk assessment. But in general, if you’re unsure if the asset is used by your organization, include it in your risk assessment.

Collect the following information about these assets (not all-inclusive; the list could vary by organization):

• Name
• Description
• The purpose (or mission) and criticality of the asset
• Type
• Cost/value
• Location
• Who owns and/or supports the asset
• User information (number of users, type of users, etc.)
• Security requirements
• Storage information and protections
• Physical security
• Environmental security
• Miscellaneous
• Other

Identify Threats

Next, threat model each asset. What are the different threats and risks that could compromise or destroy the asset, or disable wanted access to it? Understanding how to perform good threat modeling can help you with this part of the risk management program. Start by brainstorming to identify likely threats against the asset. They could be natural events (e.g., weather, floods, pandemics, etc.) or unnatural events (e.g., war, bombing, hacking, etc.). You need to consider both physical and logical threats and attacks. Sometimes it helps to identify particular categories of likely attackers, say malware, ransomware, nation-state attackers, script kiddies, financial thieves, physical criminals, insider threats, hacktivists, etc. Then map out likely exploitation pathways. For example, attacks against computer assets usually fall into one or more of the following categories:

• Programming bug (patch available or not available)
• Social engineering
• Authentication attack
• Human error/misconfiguration
• Eavesdropping/MitM
• Data/network traffic malformation
• Insider attack
• Third-party reliance issue (vendor/dependency/watering hole)
• Physical attack
• Brand new attack vector (w/o current/default mitigation)

While you don’t have to think of and identify every possible threat and risk, you are trying to capture the most likely and most potentially costly threats and risks. The more you capture, the better. No one ever got in trouble for identifying too many threats and risks. The screenshot below shows an example of sample risks listed in the KCM GRC program.


Determine the likelihood of the risk and threat occurring in a particular time period (most organizations use a year) and the range of likely resulting damage for each occurrence of a particular risk/threat happening.
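As an added example (not from this article or the KCM GRC product), the following Python script carries the Risk = Probability x Severity calculation through for a small risk register: each threat gets an annual likelihood and a damage range, the midpoint of the range is used as severity, the (asset, threat) pairs are ranked highest risk first, and the residual risk is recomputed after offsetting controls are applied. The asset, threat, and control figures are constructed sample values, not data from the page.

```python
from dataclasses import dataclass
@dataclass
class Asset:                       # one row of the asset inventory
    name: str
    value: float                   # the inventory's cost/value field, kept for reference
@dataclass
class Threat:                      # one identified threat against an asset
    name: str
    category: str                  # exploitation pathway category from the list above
    annual_likelihood: float       # probability of occurring in a one-year period (0..1)
    damage_low: float              # low end of estimated damage per occurrence
    damage_high: float             # high end of estimated damage per occurrence
@dataclass
class Control:                     # an offsetting control applied to one named threat
    name: str
    threat: str
    likelihood_factor: float = 1.0  # residual likelihood = likelihood * factor
    damage_factor: float = 1.0      # residual damage = damage * factor

def annualized_risk(threat, controls=()):
    """Risk = Probability x Severity, with severity as the midpoint of the damage range."""
    likelihood = threat.annual_likelihood
    damage = (threat.damage_low + threat.damage_high) / 2
    for c in controls:              # apply every control that targets this threat
        if c.threat == threat.name:
            likelihood *= c.likelihood_factor
            damage *= c.damage_factor
    return likelihood * damage      # expected annual loss in the inventory's currency

def ranked_register(register, controls=()):
    """Rank (asset, threat) pairs so the biggest risks come first."""
    rows = [(a.name, t.name, round(annualized_risk(t, controls), 2)) for a, t in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data: one asset, three threats, two controls (not from the article).
ERP = Asset("ERP server", 120_000)
REGISTER = [
    (ERP, Threat("Unpatched bug exploited", "Programming bug", 0.30, 20_000, 80_000)),
    (ERP, Threat("Ransomware via phishing", "Social engineering", 0.40, 50_000, 150_000)),
    (ERP, Threat("Flood in server room", "Natural event", 0.02, 100_000, 200_000)),
]
CONTROLS = [
    Control("Patch management", "Unpatched bug exploited", likelihood_factor=0.5),
    Control("MFA plus phishing training", "Ransomware via phishing", likelihood_factor=0.25),
]
if __name__ == "__main__":
    for label, ctrls in (("Inherent", ()), ("Residual", CONTROLS)):
        print(f"{label} risk, highest first:")
        for asset, threat, value in ranked_register(REGISTER, ctrls):
            print(f"  {asset:12} {threat:26} {value:>12,.2f}")
```

Running it shows the ransomware threat dropping from the top of the inherent ranking to 10,000 per year once the control is applied, which is the ordering signal the "biggest and most likely risks first" rule in the article relies on.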
